On August 14, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced actions targeting the founder and co-owners of the previously sanctioned cryptocurrency exchange Garantex, one of its successor platforms Grinex, and the ruble-backed A7A5 token. The designations mark the latest step in a multi-year effort to dismantle a sanctions-evasion infrastructure that has facilitated the laundering of ransomware proceeds, darknet market revenues, and other illicit transactions since at least 2019.
These measures were supported by the U.S. Secret Service’s Cyber Investigative Section, the Federal Bureau of Investigation, and international partners in Germany and Finland. They build on the March 6, 2025, multinational disruption that seized Garantex’s primary domain and froze over $26 million in cryptocurrency. That operation—one of the most significant international crackdowns on a Russian-linked virtual asset service provider—also set the stage for the rapid emergence of Grinex and the integration of the A7A5 token into its operations.
Also included in the August 14 designations was Sergey Mendeleev, a co-founder of Garantex, as well as Independent Decentralized Finance Smartbank and Ecosystem (InDeFi Bank) and Exved, entities co-owned and controlled by Mendeleev. According to OFAC, InDeFi Bank provides decentralized financial services, while Exved is a payment platform working closely with InDeFi Bank to facilitate “cryptocurrency-mediated trade” between Russia and other countries to subvert U.S. sanctions.
Garantex co-owners Pavel Karavatsky and Aleksandr Mira Serda were also designated. Serda had been named in an unsealed indictment on March 7, 2025, following the international disruption against Garantex’s domain.
From Garantex to Grinex: Evasion by Rebranding
Garantex was originally registered in Estonia, but its co-founders, Sergey Mendeleev and Stanislav Drugalev, later relocated operations to the Federation Tower in Moscow, Russia in 2019. Russian authorities subsequently raided Drugalev’s apartment in connection with Garantex’s use by cybercriminals. Drugalev initially agreed to cooperate with investigators, but later moved to Dubai, where he was killed in a suspicious car crash. Mendeleev, meanwhile, officially distanced himself from the exchange while still maintaining connections. In Russia, such corporate raids are often used by the government to establish control over an entity that may provide profit or strategic utility to members of the state apparatus.
In April 2022, Garantex was sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for facilitating more than USD 100 million in illicit transactions. These included ransomware payments linked to Conti, LockBit, and Ryuk, as well as darknet market flows tied to Hydra. Even after losing its Estonian license in February 2022 due to critical AML/CFT deficiencies, the exchange continued operating, leveraging a network designed to obscure wallet attribution and preserve access for sanctioned customers.
TRM Labs analysis has shown that since its designation, Garantex has been responsible for more than seventy percent of cryptocurrency volumes to and from sanctioned entities and jurisdictions, processing hundreds of millions of dollars in illicit flows.
The March 2025 multinational takedown did not halt these activities. Instead, Garantex’s leadership quickly activated a contingency plan that appears to have been in place for months. Kyrgyz government records show that Grinex was incorporated in December 2024—well before the seizure—by an individual with no known history in the exchange business. In the days following the Garantex disruption, Telegram channels linked to the exchange began promoting Grinex as a “new platform with familiar functionality.” The similarities extended far beyond branding: Grinex replicated Garantex’s interface and operational approach, actively working to onboard former Garantex clients and facilitate the recovery of their assets.
For more read TRM’s full report on the Grinex rebrand here.
The A7A5 Token: Ruble-Backed Sanctions Evasion Tool
A central element of the transition from Garantex to Grinex was the introduction of the A7A5 token, a digital asset pegged to the Russian ruble and designed to facilitate the movement and recovery of frozen customer funds. Issued by the Kyrgyzstani firm Old Vector, A7A5 was fully integrated into Grinex’s operations as both a settlement instrument and a compensation mechanism. Former Garantex customers were credited with A7A5 in amounts equivalent to their frozen balances, which could then be traded or redeemed on the new platform.
The token’s origins trace directly to A7 LLC, a Russian cross-border settlement platform owned by sanctioned Moldovan oligarch Ilan Shor and sanctioned Russian bank Promsvyazbank. Related subsidiaries, A71 LLC and A7 Agent LLC, form part of the same infrastructure. Prior to the March 2025 enforcement action, Garantex executives met with representatives of Shor to arrange for A7A5’s listing and trading on Garantex—evidence of deliberate coordination between the exchange and the A7 financial network.
On-chain analysis by TRM Labs shows that Garantex wallets began moving funds into A7A5 as early as January 2025, weeks before the takedown, underscoring foreknowledge of impending enforcement and the intent to establish a sanctions-resistant value-transfer channel. One key address—TNDjh6WGLYyWmkh8vfu42bXVHUqFNQ3rDq—was later labeled by OFAC as a Garantex-controlled wallet and independently flagged by TRM Labs for its role in the early movement of A7A5. This address represents a critical on-chain link between the sanctioned exchange and the newly deployed token.
Meer Exchange and Its Role in the A7A5 Ecosystem
Meer was among the first cryptocurrency exchanges to list A7A5, the Russian ruble-pegged stablecoin used to transfer funds from the sanctioned exchange Garantex to its successor platform, Grinex. The overlap is striking: Meer exhibits the same spending heuristics, and features an identical trading interface to other entities in the Garantex–Grinex network.
Domain records show that Meer’s website was registered on December 9, 2024—contemporaneous with the establishment of both Grinex and A7A5. This timing, coupled with its technical and operational similarities, points to coordinated development. Despite its brief operational lifespan, Meer experienced a pronounced surge in trading volume in the months immediately following the March 2025 multinational law enforcement action against Garantex, suggesting it may have served as an additional channel for sustaining flows connected to the network’s illicit financial activity.
Garantex’s Role in the Illicit Finance Ecosystem
The integration of A7A5 into Grinex represents only the most recent chapter in Garantex’s long-standing role in illicit finance. Both before and after its designation by the U.S. Treasury, Garantex operated as a key conduit for ransomware laundering, darknet market transactions, sanctions evasion, and the movement of funds through high-risk Russian financial networks.
Russian-speaking ransomware groups—including Ryuk, Conti, and LockBit—channeled substantial proceeds through the exchange. Ryuk alone laundered more than $2.3 million via Garantex, using the platform to convert illicit cryptocurrency into fiat currency. The exchange also served as a primary financial enabler for Hydra Market, the largest darknet marketplace in history, until Hydra’s takedown in 2022. Tens of millions of dollars flowed from Hydra through Garantex, supporting transactions for ransomware-as-a-service, hacking tools, stolen data, and illicit narcotics.
Following Hydra’s closure, successor darknet markets collectively expanded their operations, with many retaining significant transactional exposure to Garantex. In parallel, the exchange played a central role in sanctions evasion, frequently operating alongside other high-risk platforms such as Iran-based Nobitex and Russia-based Bitpapa and NetEx24. Together, these entities facilitated cryptocurrency flows into sanctioned jurisdictions and provided critical financial pathways for sanctioned Russian entities seeking to bypass international restrictions.
Kyrgyzstan’s Role as a Sanctions Evasion Hub
The emergence of Grinex and the A7A5 token is closely tied to the broader geopolitical and economic deepening of relations between Russia and Kyrgyzstan. Since Russia’s invasion of Ukraine in 2022, bilateral trade between the two countries has grown significantly, bolstered by substantial volumes of parallel imports that include dual-use goods with potential military applications.
Kyrgyzstan’s January 2022 “On Virtual Assets” law established the first comprehensive licensing framework for virtual asset service providers (VASPs) in the country. This legislation transformed the sector from negligible activity into a multi-billion-dollar market in just two years. According to a recent TRM report, by October 2024, Kyrgyz authorities had issued 126 VASP licenses, and transaction volumes among licensed providers reached $4.2 billion in the first seven months of that year.
While the regulatory structure provides a formalized legal foundation, it has also attracted entities engaged in sanctions evasion. Companies linked to A7A5—such as Old Vector and Trust Corporation—exhibit common hallmarks of shell entities, including registration at residential addresses and overlapping ownership structures. Kyrgyzstan’s position as a transit hub for goods moving from China into Russia, including semiconductors, drone components, and other dual-use items, has further intertwined its rapidly expanding crypto sector with broader sanctions evasion networks.
Enforcement and Compliance Implications
The OFAC action against Grinex and the A7A5 token underscores both the resilience and the strategic adaptability of sanctioned actors. Entities such as Garantex increasingly appear to prepare contingency plans well in advance of anticipated enforcement measures, ensuring a rapid and coordinated migration of clients, infrastructure, and illicit financial flows to successor platforms.
The case further illustrates how fiat-pegged tokens—often marketed as routine settlement or compensation instruments—can be repurposed into core components of sanctions-evasion strategies when linked to opaque corporate networks and sanctioned financial institutions. Jurisdictions with emerging or lightly enforced virtual asset regulatory regimes remain especially vulnerable to such exploitation, particularly when their geopolitical and economic priorities align with those of sanctioned states.
For compliance teams, the Garantex–Grinex–A7A5 nexus serves as a critical case study in the importance of proactively monitoring the migration of illicit activity, applying enhanced due diligence to fiat-pegged tokens with non-transparent governance, and maintaining rigorous scrutiny of virtual asset service providers operating from high-risk jurisdictions. Under the August 2025 designations, all property and interests in property of Grinex, A7 entities, Old Vector, and their principals within U.S. jurisdiction are blocked, and U.S. persons are prohibited from conducting any transactions with them. Non-U.S. financial institutions that continue to facilitate dealings with these actors risk exposure to secondary sanctions, significantly extending the extraterritorial reach of U.S. enforcement.
Related posts
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.
